
☑️ Prevent containers from having unnecessary system call privileges

Seccomp (secure computing mode) restricts what a process inside a container can do by filtering the system calls it is allowed to make. A container's seccomp profile is set in its securityContext and can be declared at pod level (applying to every container in the pod) or at container level (overriding the pod-level setting for that container).
Running containers or Pods with the seccomp profile Unconfined removes one isolation layer between the workload and the node's kernel: a process that gains code execution in the container can then reach every system call the kernel exposes, including the ones most useful for privilege escalation and container escape. The security community advises against it.
No container in your cluster should run unconfined, especially in production environments.

The default seccomp profile for a container is Unconfined in every Kubernetes version unless the kubelet is explicitly configured to apply RuntimeDefault to pods that do not set one (the SeccompDefault feature, alpha in 1.22 and GA in 1.27, switched on through the kubelet's seccompDefault setting). On most clusters, every pod that does not specify a seccompProfile is therefore exposed to this threat.

Resource kinds targeted by this rule: Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job

Complexity: medium

Policy as code identifier: CONTAINERS_INCORRECT_SECCOMP_PROFILE


This rule will fail

If a seccompProfile is not configured, or has a type other than Localhost or RuntimeDefault:

spec:
  securityContext:
    seccompProfile:
      type: Unconfined

Rule output in the CLI

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent containers from having unnecessary system call privileges [1 occurrence]
💡 Incorrect value for key `seccompProfile` - set an explicit value to prevent malicious use of system calls within the container

How to fix this failure

Set the seccompProfile type to RuntimeDefault (the container runtime's built-in default profile) or Localhost (a profile file on the node, named in the localhostProfile field):

spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault
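The rule as described above has one subtlety worth seeing in code: the profile is inherited from the pod level only when a container does not set its own, so a single container-level securityContext can re-open the hole under an otherwise compliant pod. The following is an added example, not Datree's implementation: a minimal re-implementation of the check over in-memory manifests (plain dicts shaped like the Kubernetes API objects, constructed here for the demonstration) that resolves the effective profile per container, including initContainers, across all the kinds the rule targets. The function and constant names are mine.

```python
"""Added example: re-implementation of the CONTAINERS_INCORRECT_SECCOMP_PROFILE
check. Not Datree's code; manifests below are constructed test inputs."""

ALLOWED_TYPES = {"RuntimeDefault", "Localhost"}
TEMPLATE_KINDS = {"Deployment", "DaemonSet", "StatefulSet", "ReplicaSet", "Job"}


def pod_spec(manifest):
    """Locate the PodSpec inside any kind the rule targets; None otherwise."""
    kind = manifest.get("kind")
    spec = manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind in TEMPLATE_KINDS:
        return spec.get("template", {}).get("spec", {})
    if kind == "CronJob":
        return (spec.get("jobTemplate", {}).get("spec", {})
                .get("template", {}).get("spec", {}))
    return None


def seccomp_profile(security_context):
    """Return the seccompProfile block of a securityContext, or None."""
    return (security_context or {}).get("seccompProfile")


def check_seccomp(manifest):
    """Return the names of containers whose effective profile is not allowed.

    A container-level seccompProfile always wins over the pod-level one, so
    each container is evaluated on the profile that will actually apply to it.
    Type Localhost is only valid when localhostProfile names a file on the node;
    the API server rejects it otherwise, so the check treats that as failing too.
    """
    spec = pod_spec(manifest)
    if spec is None:  # not a workload kind, nothing to check
        return []
    pod_profile = seccomp_profile(spec.get("securityContext"))
    failures = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        effective = seccomp_profile(c.get("securityContext")) or pod_profile or {}
        ptype = effective.get("type")
        ok = ptype in ALLOWED_TYPES
        if ptype == "Localhost" and not effective.get("localhostProfile"):
            ok = False
        if not ok:
            failures.append(c["name"])
    return failures


# Constructed sample manifests (hypothetical names and images).
UNCONFINED_POD = {
    "kind": "Pod",
    "spec": {
        "securityContext": {"seccompProfile": {"type": "Unconfined"}},
        "containers": [{"name": "app", "image": "example/app:1"}],
    },
}

HARDENED_POD = {
    "kind": "Pod",
    "spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [
            {"name": "app", "image": "example/app:1"},
            {"name": "strict", "image": "example/strict:1",
             "securityContext": {"seccompProfile": {
                 "type": "Localhost",
                 "localhostProfile": "profiles/strict.json"}}},
        ],
    },
}

# Pod level is compliant, but the sidecar opts out again at container level.
MIXED_POD = {
    "kind": "Pod",
    "spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [
            {"name": "app", "image": "example/app:1"},
            {"name": "sidecar", "image": "example/sidecar:1",
             "securityContext": {"seccompProfile": {"type": "Unconfined"}}},
        ],
    },
}

# No profile anywhere: falls back to the kubelet default (Unconfined on most clusters).
BARE_DEPLOYMENT = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {
        "initContainers": [{"name": "init", "image": "example/init:1"}],
        "containers": [{"name": "web", "image": "example/web:1"}],
    }}},
}


if __name__ == "__main__":
    for name, m in [("unconfined", UNCONFINED_POD), ("hardened", HARDENED_POD),
                    ("mixed", MIXED_POD), ("bare-deployment", BARE_DEPLOYMENT)]:
        fails = check_seccomp(m)
        print(f"{name}: {'PASS' if not fails else 'FAIL ' + ', '.join(fails)}")
```

The MIXED_POD case is the one a pod-level-only check misses: reviewing only spec.securityContext would report it as compliant while the sidecar runs with every system call available.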
